[nycphp-talk] SSH2_CONNECT

Leam Hall leam at reuel.net
Fri Jul 31 20:16:57 EDT 2009


Also, maybe change "2> /dev/null" to 2>/tmp/error.log
to see what it says.

Leam

Leam Hall wrote:
> Hey Michele.
> 
> Can you edit /etc/sudoers? You might be able to give it the NOPASSWD 
> option, to at least shorten it a bit.
> 
> Can you read /var/log/messages and the web server log to see if they say 
> anything?
> 
> Leam
> 
> Michele Waldman wrote:
>> So I rewrote the code in bash due to my client's concern about bandwidth.
>>
>> Here's my new problem:
>> $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");
>>
>> The script isn't running.
>>
>> Since it's running from http, I modified the user nobody to have 
>> /bin/bash
>> in /etc/passwd and gave the user a password.
>>
>> I can login to the server as nobody and run this code on the command 
>> line.
>> Works fine.
>>
>> Does anyone know why this execute isn't working in php?
>>
>> Michele
>>
>>> -----Original Message-----
>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>>> On Behalf Of Kenneth Dombrowski
>>> Sent: Friday, July 31, 2009 7:33 AM
>>> To: NYPHP Talk
>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>
>>> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
>>>> Most probably your PHP script will be running under the same 
>>>> username as
>>>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
>>>> wouldn't want to give www or nobody sudo privilege anyway!).
>>> All this talk about sudo not working made me curious -- why shouldn't it
>>> work?  It will, and a well configured sudo offers a very fine level of
>>> control -- though whether one wants to do it is another question
>>>
>>> # visudo
>>> Defaults:www-data       !lecture
>>> Defaults:www-data       !authenticate
>>> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
>>>
>>> The first two lines get rid of sudo's usual prompts, since it will never
>>> run interactively, & the last specifies a single command + argument
>>> www-data is allowed to run as kenneth (you can use shell-style globs)
>>>
>>> # sudo.php
>>> <?php
>>> header('Content-type: text/plain');
>>> $f = '/tmp/sudoer.apache';
>>> system("sudo -u kenneth /usr/bin/touch $f");
>>> print "\n$f exists? " . (bool) file_exists($f);
>>>
>>> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>>>    /tmp/sudoer.apache exists? 1
>>> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
>>> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
>>>
>>> So on debian, www-data successfully created a file as kenneth.  On 
>>> FreeBSD
>>> I think www/nobody/whatever has a /bin/false shell, so there it won't
>>> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
>>> somebody will tell me you shouldn't do it at all, but its not due to a
>>> technical limitation
>>>
>>>
>>> _______________________________________________
>>> New York PHP User Group Community Talk Mailing List
>>> http://lists.nyphp.org/mailman/listinfo/talk
>>>
>>> http://www.nyphp.org/show_participation.php
>>
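Michele's exec() call above keeps only the last line of stdout and sends stderr to /dev/null, so when sudo refuses or waits for a password the script simply appears to "not run". The following is an added example, not code from this thread, showing how to run a single sudo-permitted command from PHP in the non-interactive style Kenneth describes while keeping the exit status and stderr; the sudoers entry it relies on, the siteadmin account, the copy_sites path and the request parameter are assumptions.

```php
<?php
// Added example. Assumes a sudoers entry (via visudo) such as:
//   www-data ALL = (siteadmin) NOPASSWD: /home/user/site_util/copy_sites
// The account name, script path and request parameter are hypothetical.

/**
 * Run one sudo-whitelisted command without a password prompt.
 * Returns [exit_code, stdout, stderr] so failures are visible.
 */
function run_sudo_command(string $runAs, string $command, array $args): array
{
    // copy_sites only takes a site id, so allow a simple token and nothing else;
    // this keeps shell metacharacters from a web request out of the command line.
    foreach ($args as $a) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $a)) {
            return [2, '', "rejected argument: $a"];
        }
    }
    // -n makes sudo fail at once instead of blocking on a password the web
    // process can never type; escapeshellarg() quotes every piece defensively.
    $cmd = 'sudo -n -u ' . escapeshellarg($runAs) . ' ' . escapeshellarg($command);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    $spec = [
        0 => ['file', '/dev/null', 'r'],   // no stdin: nothing can wait for input
        1 => ['pipe', 'w'],                // capture stdout
        2 => ['pipe', 'w'],                // capture stderr instead of discarding it
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [127, '', 'proc_open failed'];
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);             // sudo's own exit status, e.g. 1 when denied
    return [$code, $out, $err];
}

// Usage: the id comes from the request and is validated inside the function.
$id = $_GET['id'] ?? '';
[$code, $out, $err] = run_sudo_command('siteadmin', '/home/user/site_util/copy_sites', [$id]);
if ($code !== 0) {
    error_log("copy_sites failed with status $code: $err");   // lands in the web server error log
    http_response_code(500);
    exit;
}
echo $out;
```

With stderr captured, a sudoers mismatch or a "sudo: a password is required" refusal shows up in the web server error log rather than vanishing into /dev/null.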